Facebook discloses hack, says no user information was compromised

Facebook disclosed Friday that it was the target of a "sophisticated" cyberattack, in the latest example of malicious hackers exploiting a weakness in Java software.

The world's largest social network said there was no evidence that any Facebook members' information was compromised, in contrast with a recent Java-related attack on Twitter, where officials announced two weeks ago that up to 250,000 users' names and passwords may have been accessed.

But in the latest disclosure, Facebook reported that its investigators found clear evidence that other companies were affected by the same scheme, known as a "watering hole attack," in which hackers planted malicious software on a website frequented by developers who build mobile software applications.

Security experts say that's a classic scheme used by hackers who are hoping they will get access to all kinds of useful or valuable data, including source code, user passwords or even financial information. It's unclear whether the hackers knew that Facebook engineers were among those likely to visit the contaminated site.

Advertisement

The site transferred malicious code to the laptops of several Facebook engineers, according to a statement posted on a Facebook security blog Friday afternoon. Facebook said the infection was caught before it transferred any code to the company's main network or servers.

While the malware gave the hackers "limited visibility" into some of Facebook's servers, the company said it found no evidence that any information was "exfiltrated" or harvested from the servers. The hackers may have obtained some programming code or other data from the engineers' laptops, however.

Facebook said its engineers' laptops were equipped with up-to-date security software, but the hackers exploited a "zero-day" vulnerability, meaning a flaw in Java that security experts had not previously identified. The company's security systems eventually detected the malware last month, after a period of time that Facebook did not disclose.

A Facebook spokesman declined to comment, saying the case is under investigation. Facebook said it notified law enforcement authorities as well as officials at Oracle (ORCL), which owns the rights to Java and is responsible for producing security updates. Oracle issued a security patch for the flaw on Feb. 1.

Security experts said the Facebook and Twitter hacks appeared to be different from recent cyberattacks on several media organizations, including The New York Times, which appeared to originate from China.

The latter attacks seemed to be aimed at gathering politically sensitive information, such as the names of dissidents who spoke with Western news media, while the Twitter and Facebook hackers were more likely hoping for some kind of financial gain, said Andrew Storms, director of security operations for nCircle, a San Francisco company that sells data-security products to corporate clients.

Despite repeated patches and warnings from security experts, many believe the widely used Java software is still vulnerable to new attacks. For hackers, "the Java vulnerability is very popular right now," added George Tubin, senior security strategist at Trusteer, which sells security programs for business computers.

Contact Brandon Bailey at 408-920-5022; follow him at Twitter.com/BrandonBailey